Fix OAuth2 token lingering after revocation